VPN Syslog Messages
( subtype eq vpn )
Critical
( subtype eq vpn ) and ( severity eq critical )
( eventid eq tunnel-status-up ) and ( object eq IPSEC_TUN_NAME ) and ( description contains 'Tunnel IPSEC_TUN_NAME is down' )
( eventid eq tunnel-status-down ) and ( object eq IPSEC_TUN_NAME ) and ( description contains 'Tunnel IPSEC_TUN_NAME is down' )
( eventid eq ike-nego-p1-fail-common ) and ( object eq IKE_GW_NAME ) and ( description contains 'IKE phase-1 negotiation is failed. Peer\'s ID payload 192.168.1.1 (type ipaddr) does not match a configured IKE gateway.' )
IKE Crypto does not match.
Low
( subtype eq vpn ) and ( severity eq low )
( eventid eq ike-nego-p1-dpd-dn ) and ( object eq IKE_GW_NAME ) and ( description contains 'IKE phase-1 SA is down determined by DPD.' )
Informational
( subtype eq vpn ) and ( severity eq informational )
( description contains 'KEYMGR sync all IPSec SA to Flow started.' )
( eventid eq ike-nego-p1-fail-common ) and ( object eq ike-gw-to-primary ) and ( description contains 'IKE phase-1 negotiation is failed. no suitable proposal found in peer\'s SA payload.' )
( eventid eq ike-config-p1-success ) and ( description contains 'IKE daemon configuration load phase-1 succeeded.' )
( eventid eq ike-config-p1-abort ) and ( description contains 'IKE daemon configuration load phase-1 aborted.' )
( eventid eq ike-config-p2-success ) and ( description contains 'IKE daemon configuration load phase-2 succeeded.' )
( eventid eq ike-generic-event ) and ( description contains 'ignore the packet, expecting the packet encrypted.' )
( eventid eq ike-generic-event ) and ( description contains 'few isakmp message received.' )
( eventid eq ike-generic-event ) and ( description contains 'no proposal chosen.' )
( eventid eq ike-generic-event ) and ( description contains 'unknown ikev2 peer' )
( eventid eq ike-recv-notify ) and ( object eq IKE_GW_NAME ) and ( description contains 'IKE protocol notification message received: INVALID-SPI (11).' )
( eventid eq ike-recv-notify ) and ( object eq IKE_GW_NAME ) and ( description contains 'IKE protocol notification message received: INITIAL-CONTACT (24578).' )
( eventid eq ike-nego-p1-start ) and ( object eq IKE_GW_NAME ) and ( description contains 'IKE phase-1 negotiation is started as responder, main mode. Initiated SA: 192.168.1.1[500]-11.22.33.44[500] cookie:da9d6ef6d29fc158:ee3c8c80d04eb5da.' )
( eventid eq ike-nego-p1-succ ) and ( object eq IKE_GW_NAME ) and ( description contains 'IKE phase-1 negotiation is succeeded as responder, main mode. Established SA: 192.168.1.1[500]-11.22.33.44[500] cookie:da9d6ef6d29fc158:ee3c8c80d04eb5da lifetime 28800 Sec.' )
( eventid eq ike-nego-p1-expire ) and ( object eq IKE_GW_NAME ) and ( description contains 'IKE phase-1 SA is expired SA: 192.168.1.1[500]-11.22.33.44[500] cookie:bc2888b0a72f89a0:c114fe089bf2d37d.' )
( eventid eq ike-nego-p1-delete ) and ( object eq IKE_GW_NAME ) and ( description contains 'IKE phase-1 SA is deleted SA: 192.168.1.1[500]-11.22.33.44[500] cookie:bc2888b0a72f89a0:c114fe089bf2d37d.' )
( eventid eq ike-nego-p1-fail ) and ( object eq IKE_GW_NAME ) and ( description contains 'IKE phase-1 negotiation is failed as initiator, main mode. Failed SA: 192.168.1.1[500]-11.22.33.44[500] cookie:28bd6af9813b58d8:0000000000000000. Due to timeout.' )
( eventid eq ike-nego-p1-fail-common ) and ( object eq IKE_GW_NAME ) and ( description contains 'IKE phase-1 negotiation is failed. IKE phase-1 request from gateway IKE_GW_NAME is rejected: aggr mode is not allowed by configuration.' )
Someone tried to connect but we could not find a gateway with their IP.
( eventid eq ike-nego-p1-fail-common ) and ( object eq IKE_GW_NAME ) and ( object eq '11.22.33.44[500]' ) and ( description contains 'IKE phase-1 negotiation is failed. Couldn\'t find configuration for IKE phase-1 request for peer IP 11.22.33.44[500].' )
( eventid eq ike-send-notify ) and ( object eq IKE_GW_NAME ) and ( description contains 'IKE protocol notification message sent: NO-PROPOSAL-CHOSEN (14).' )
( eventid eq ike-send-p1-delete ) and ( object eq IKE_GW_NAME ) and ( description contains 'IKE protocol phase-1 SA delete message sent to peer. cookie:bc2888b0a72f89a0:c114fe089bf2d37d.' )
( eventid eq ike-recv-p1-delete ) and ( object eq IKE_GW_NAME ) and ( description contains 'IKE protocol phase-1 SA delete message received from peer. cookie:823406e89cc4a53d:a02bb471dd4a9531.' )
( eventid eq ike-nego-p2-stale-p1 ) and ( object eq IKE_GW_NAME ) and ( description contains 'Deleting a possible stale phase-1 SA. cookie:ddde6812320597bc:1080390072deae5a.' )
( eventid eq ike-nego-p2-start ) and ( object eq IPSEC_TUN_NAME ) and ( description contains 'IKE phase-2 negotiation is started as initiator, quick mode. Initiated SA: 192.168.1.1[500]-11.22.33.44[500] message id:0xC9732D7B.' )
( eventid eq ike-nego-p2-succ ) and ( object eq IPSEC_TUN_NAME ) and ( description contains 'IKE phase-2 negotiation is succeeded as initiator, quick mode. Established SA: 192.168.1.1[500]-11.22.33.44[500] message id:0xC9732D7B, SPI:0xF05AF6FF/0x926E4E25.' )
( eventid eq ike-nego-p2-simul-fail ) and ( object eq IKE_GW_NAME ) and ( description contains 'simultaneous phase-2 rekey request detected, peer is PANOS. Previous request removed. (isakmp message-id 0x00000000).' )
( eventid eq ike-nego-p2-fail ) and ( object eq IKE_GW_NAME ) and ( description contains 'IKE phase-2 negotiation is failed as initiator, quick mode. Failed SA: 172.23.13.69[500]-35.160.196.102[500] message id:0xF0E508BD. Due to negotiation timeout.' )
( eventid eq ike-nego-p2-simul-cont ) and ( object eq '11.22.33.44[500]' ) and ( description contains 'simultaneous phase-2 rekey request detected, peer is PANOS. Ignore this new request. (isakmp message-id 0x1B58A60E).' )
( eventid eq ike-nego-p2-proxy-id-bad ) and ( object eq ike-gw-partner-loro-t1 ) and ( description contains 'IKE phase-2 negotiation failed when processing proxy ID. cannot find matching phase-2 tunnel for received proxy ID. received local id: 172.20.11.0/24 type IPv4_subnet protocol 0 port 0, received remote id: 169.254.201.96/30 type IPv4_subnet protocol 0 port 0.' )
This means that the IPsec crypto does not match.
( eventid eq ikev2-nego-child-proposal-bad ) and ( object eq ike-gw-to-primary ) and ( description contains 'IKEv2 child SA negotiation failed when processing SA payload. no suitable proposal found in peer\'s SA payload.' )
( eventid eq ikev2-nego-child-start ) and ( object eq ike-gw-to-primary ) and ( description contains 'IKEv2 child SA negotiation is started as responder, non-rekey. Initiated SA: 10.1.1.12[500]-10.1.1.11[500] message id:0x00000001.' )
( eventid eq ikev2-nego-ike-fail ) and ( object eq ike-gw-to-primary ) and ( description contains 'IKEv2 IKE SA negotiation is failed as responder, non-rekey. Failed SA: 10.1.1.12[500]-10.1.1.11[500] SPI:e076d3e7b7539fb6:d8ca8e604c94f68e.' )
This means that the IKE Crypto does not match.
( eventid eq ike-generic-event ) and ( description contains 'no proposal chosen.' )
This means that the IPsec crypto does not match.
( eventid eq ike-nego-p2-proposal-bad ) and ( object eq IPSEC_TUN_NAME ) and ( description contains 'IKE phase-2 negotiation failed when processing SA payload. no suitable proposal found in peer\'s SA payload.' )
( eventid eq ike-send-p2-delete ) and ( object eq IPSEC_TUN_NAME ) and ( description contains 'IKE protocol IPSec SA delete message sent to peer. SPI:0xCFCBA3AF.' )
( eventid eq ike-recv-p2-delete ) and ( object eq IKE_GW_NAME ) and ( description contains 'IKE protocol IPSec SA delete message received from peer. SPI:0x3EE477E4.' )
( eventid eq ipsec-key-install ) and ( object eq IPSEC_TUN_NAME ) and ( description contains 'IPSec key installed. Installed SA: 192.168.1.1[500]-11.22.33.44[500] SPI:0xF05AF6FF/0x926E4E25 lifetime 3600 Sec lifesize unlimited.' )
( eventid eq ipsec-key-expire ) and ( object eq IPSEC_TUN_NAME ) and ( description contains 'IPSec key lifetime expired. Expired SA: 192.168.1.1[500]-11.22.33.44[500] SPI:0xCFCBA3AF/0x3EE477E4.' )
( eventid eq ipsec-key-delete ) and ( object eq IPSEC_TUN_NAME ) and ( description contains 'IPSec key deleted. Deleted SA: 192.168.1.1[500]-11.22.33.44[500] SPI:0xCFCBA3AF/0x3EE477E4.' )
( eventid eq tunnel-status-up ) and ( object eq IPSEC_TUN_NAME ) and ( description contains 'Tunnel IPSEC_TUN_NAME is up' )
( eventid eq ike-daemon-exit ) and ( description contains 'IKE daemon has exited.' )
( eventid eq keymgr-ike-full-sync-abort ) and ( description contains 'KEYMGR sync all IPSec SA to IKE daemon no longer needed.' )
( eventid eq keymgr-daemon-exit ) and ( description contains 'KEYMGR daemon has exited.' )
( eventid eq ike-daemon-init ) and ( description contains 'IKE daemon is initializing.' )
( eventid eq keymgr-daemon-init ) and ( description contains 'KEYMGR daemon is initializing.' )
( eventid eq keymgr-flow-full-sync-abort ) and ( description contains 'KEYMGR sync all IPSec SA to Flow no longer needed.' )
( eventid eq ike-daemon-start ) and ( description contains 'IKE daemon is ready.' )
( eventid eq keymgr-daemon-start ) and ( description contains 'KEYMGR daemon is ready.' )
( eventid eq keymgr-ike-full-sync-done ) and ( description contains 'KEYMGR sync all IPSec SA to IKE daemon exit.' )
( eventid eq ike-config-p1-success ) and ( description contains 'IKE daemon configuration load phase-1 succeeded.' )
( eventid eq ike-config-p2-success ) and ( description contains 'IKE daemon configuration load phase-2 succeeded.' )
( eventid eq keymgr-flow-full-sync-start ) and ( description contains 'KEYMGR sync all IPSec SA to Flow started.' )
( eventid eq keymgr-flow-full-sync-done ) and ( description contains 'KEYMGR sync all IPSec SA to Flow exit.' )
( eventid eq ike-generic-event ) and ( description contains 'received notify type ESP_TFC_PADDING_NOT_SUPPORTED' )
( eventid eq ikev2-nego-fail-common ) and ( object eq IKE_GW_OTHERNAME ) and ( description contains 'IKEv2 SA negotiation is failed. received notify type ESP_TFC_PADDING_NOT_SUPPORTED' )
